similar to: Using Samba AD for NFSV4 Kerberos servers and clients

Hello Kevin, We have a  Samba/Windows20008R2 domain that's been running a few years now. Here are the details: * clients auth with SSSD (ldap, kerberos, ldap_schema=rfc2307bis) * idmap * samba on clients/server for joining domain We have scripts that automatically create users with UnixHomeDir, UID and GUID numbers within AD. I don't know about using WInbind...  I dropped that

I found one of my problems was that on the client, in the /etc/krb5.conf file, the domain name was in lower case. The one on the server was upper case. Upper case'ing the client one fixed my nfs4 mount issue, but now I have another one. The nfs4 krb5 export mounts on the remote client, but doesn't seem to recognize permissions. The mount directory is shown as owned by root and the

Hai, NfsV4 and samba works fine but there is a big BUT and you have found it already. > The nfs4 krb5 export mounts on the remote client, but doesn't seem to > recognize permissions. The mount directory is shown as owned by root and the group is 4294967294 Yes, the nfsv4 acls and system acl over kerberos doent match anymore. This is a know problem and i dont know when it wil be

Hello, I am searching for a solution that I thought should be kind of standard, but until now I was not successful finding anything. Here is the problem: At our site we offer windows and linux, most servers (eg file, samba, web) are linux based. User data is stored on NFS file servers. Windows systems are part of a Windows domain with an ADS domain controller. At the moment the linux samba

Hello Luc, thanks for your answer. If I understand you correctly than you are using samba4 as windows domaincontroller and you do not have another Windows DC? So after all you have exactly one Kerberos Server that is part of the samba4 server? Thanks Rainer Am 24.03.2015 um 12:41 schrieb Luc Lalonde: > Guten tag Rainer, > > We use our Samba4/Win2k8 AD domain to authenticate all our

On 09.07.2024 17:31, Luc Lalonde via samba wrote: > Hello, > > This problem has come back for me and I can't seem to get around it. > > When I try to access a share, I get this error: > > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN > > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): > > [2024/07/09 11:22:26.747013,? 3] >

On Tue, 9 Jul 2024 14:21:58 -0400 Luc Lalonde <luc.lalonde at polymtl.ca> wrote: > I get the same error using 'net ads join' > > Here are my sanitized config files: > > ############## begin /etc/krb5.conf #################### > > includedir /etc/krb5.conf.d/ Samba does not like the 'includedir' line and doesn't require most of the other lines,

On Tue, 9 Jul 2024 11:31:04 -0400 Luc Lalonde via samba <samba at lists.samba.org> wrote: > Hello, > > This problem has come back for me and I can't seem to get around it. > > When I try to access a share, I get this error: > > session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN > > Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): >

Hello Rowland, We’ve been using SSSD with Acitve Directory for a few years now… It’s been solid for us. Our Linux clients use the AD-Kerberos via SSSD for secure NFS4 mounts with POSIX attributes defined in AD (uidNumber, gidNumber, unixHomeDirectory, loginShell). Before putting into production, I tested using Winbind and could not get it to do what I wanted. If I remember correctly, I had

Hello Folks, There seems to be contradicting sentences in the release notes for 4.11.0RC1: Default schema updated to 2012_R2 --------------------------------- Default AD schema changed from 2008_R2 to 2012_R2. 2012_R2 functional level is not yet available. Older schemas can be used by provisioning with the '--base-schema' argument. Existing installations can be updated with the

Hello, This problem has come back for me and I can't seem to get around it. When I try to access a share, I get this error: session setup failed: NT_STATUS_NO_IMPERSONATION_TOKEN Here's what I have in the logs (samba-4.20.1-1.el9.x86_64): [2024/07/09 11:22:26.747013,? 3] ../../auth/kerberos/gssapi_pac.c:120(gssapi_obtain_pac_blob) ? gssapi_obtain_pac_blob: obtaining PAC via GSSAPI

On Tue, 9 Jul 2024 18:29:15 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote: > On Tue, 9 Jul 2024 11:31:04 -0400 > Luc Lalonde via samba <samba at lists.samba.org> wrote: > > > Hello, > > > > This problem has come back for me and I can't seem to get around it. > > > > When I try to access a share, I get this error: > >

On Fri, 28 Apr 2017 09:41:31 -0400 Luc Lalonde <Luc.Lalonde at polymtl.ca> wrote: > Hello Rowland, > > Have you tried deleting a user, re-creating the same user and then > try to add him to a group? > > I'm convinced that this will point us in the right direction to > correct the bug. > Yes and to confirm it, I just did it again: samba-tool user create User2

On Fri, 28 Apr 2017 11:01:14 -0400 Luc Lalonde <Luc.Lalonde at polymtl.ca> wrote: > Hello Rowland, > > Is this what you mean? > > [root at roquefort ~]# echo $LANG > fr_CA.utf8 > What I was trying to get at is, does your username have any of those funny marks above some of the letters (you can tell I am English, I don't know the correct name for them because we

Ahh ok, thanks for the clarification!?? I'll go to bed less ignorant tonight ;-) On 2019-07-29 12:07 p.m., Rowland penny via samba wrote: > On 29/07/2019 16:41, Luc Lalonde wrote: >> The first sentence says that default schema has changed from 2008R2 >> (schema 47) to 2012R2 (schema 69). >> >> This does not mean that we're now at Windows 2012R2 functional level

Hello Folks, I've just seen that these commands will be removed in 4.21: net ads keytab add <principal> net ads keytab delete <principal> net ads keytab add_update_ads What are the alternate tools that can be used to modify the keytab? Will SPN manipulations continue to work? Here's what I use: net ads keytab add_update_ads nfs/$(hostname -f) -U Administrator Thank You!

The user exists in AD: - I can see the user using 'wbinfo', 'samba-tool user list' - I can add the user to a group with 'Active Directory Users and Computers' in Windows 2008R2 - It's seems impossible to use 'samba-tool group addmembers foogroup foouser' I looked at the user's attributes but can't find anything different from any other user that

Hello, I'm wondering if there's a plan for including the possibility of modifying user attributes (must-change-at_next-login, profile-path, home-drive, home-directory, etc)? For the moment, it seems the only way to do this is when the user is created (samba-tool newuser) or by doing so via 'administrative tools' via a Windows machine. Thank You! -- Luc Lalonde, analyste

Hello Folks, I've successfully created a GPO for user logon scripts with Samba4... However, the 'SYSVOL\domain\Policies' folder and contents is not replicated to the other DC's. Is this normal? It is working, but it seems that this is a 'single point of failure' for 'logon' scripts. Thank You! -- Luc Lalonde, analyste

Hello Folks, I'm trying to get a logon script to execute via a GPO with Samba 4.0.5. I used the Group Policy Editor that came with the Administration tools and linked a simple 'logon.bat' batch file to automatically mount a network share for a given 'OU=students'. When I log in with a user that's in this container, it does not seem to execute the login script. Anyone